January 31, 2020 by Greg Meckbach
If you are placing commercial cyber coverage, pay attention to what the various insurers’ policies say about war and terrorism, a commercial broker advises.
“I would not say it’s an obscure little corner of your insurance policy,” Tom Srail, executive vice president of the cyber risk team at Willis Towers Watson, said Thursday of war and terrorism language in cyber insurance. “It’s very important, especially in the climate we live in today, where politicians – be they prime ministers or presidents – run out and scream, or tweet out ‘This was an act of war,’” Srail said Thursday during Quarterly Cyber Risk Trends: 2019 Wrap-up, a webinar hosted by Advisen Ltd.
The war exclusion is in all polices generally, not just cyber, Lindsey Nelson, U.K. and international cyber team leader for CFC Underwriting, said during the webinar Thursday.
“I haven’t seen a case where we brought in the Canadian prime minister’s tweet as evidence in a claim denial, but that’s probably not too far-fetched in the world that we live in today,” said Srail. “So that’s definitely something that I think warrants attention. There is not a standardized way of doing it.”
Many cyber policies exclude war but some have a carve-back where terrorist incidents are covered, said Srail.
Panelists were asked about the current geopolitical climate and what impact cyber attacks from nation states might have on cyber policy wording. “There are no recorded instances of a standalone cyber market denying a claim due to the identity of the threat actor, whether it be terrorists, or nation states, or a criminal gang,” said Nelson.
There have been media reports about large corporate victims of the NotPetya attack having their claims denied. But those claims were on property rather than stand-alone cyber polices, suggested Nelson and Srail.
“My clients are very uneasy about war exclusions, even when there is a cyber terrorism carve-back,” said Srail, adding that different insurers take different approaches.
Recently there has been concern in some circles that the Iranian government might try to damage a nation’s critical infrastructure through cyber attacks, suggested Adam Cottini, director of business development, Americas insurance and legal verticals, at Crowdstrike Inc., an information technology security vendor.
“When you look at organized crime and nation states, those are the types of actors that we know are using sophisticated tools,” Cottini said during the webinar. “Some of those tools were in fact stolen from three-letter agencies in the United States.” Those tools have since gotten into the hands of organized crime organizations in rogue nations, he suggested.
“Under normal conditions, we wouldn’t seek to exclude any cyber claim and we wouldn’t expect the cyber market to exclude the claim just because the threat actor was attributed to being a state actor,” said Nelson. “Cyber policies never really intended to exclude cyber claims based on who that threat actor is, and it’s nothing new to see those attacks from nation states.”
The war exclusion in insurance is nothing new, nor is the trend of cyber attacks launched by state actors.
“What has brought this into the forefront is the escalation of tensions between the U.S. and Iran,” said Nelson. “In previous conflicts, courts have applied an incredibly narrow interpretation of the war exclusion on property policies,” said Nelson. “We would expect the same to apply to cyber polices as well. If tensions do escalate and result in electronic warfare, of course there is potential for the war exclusion to be evoked in an extreme event. But if we are operating under those conditions, the world is going to look very very different at that time.”